Pwnable.kr Level 1 Writeup

  • A+
所属分类:安全博客

Pwnable.kr Level 1 Writeup

Last updated:Mar.23, 2017 CST 23:47:23

Just make some notes. Totally used about 24 hours.

The admin said that the writeup of other levels should not be shared...But it will not affect me yet, since I haven't do them yet ;).

collision

Just use perl

bof

Notice, the padding should be 52, not 32. And your terminal emulator might do bad things....

flag

RCE. So easy. Unpack manually and break at memcpy.

passcode

How to override fflush()?

random

Try to learn something about rand() and srand()...

input

Complex. But just try... Kind of boring.

leg

You need to see how the ARM fetch instructions. Interestring!

mistake

Time to print an priority table of C, and paste on your laptop.

shellshock

Just normal things. Nothing to mention about it.

coin1

good practice for the algo

blackjack

Another example of wrong type

lotto

try-and-fail. boring

cmd1 and cmd2

Many solutions are using PATH. But I love vim.

uaf

Block size is 0x18 bytes, so we need to free and get two 18 bytes block via the second option, which means the previous two blocks can be written. We can write a fake vTable address and modify the function pointer.

codemap

At least two available solutions:

  1. Write a debugger snippet to check parameters and return values of malloc
  2. Use "Heap Analyzer" in the Visual Studio

memcpy

If you got a SIGSEV, it might be caused by unaligned memory. Try to solve it. Notice that the management structure also took some space.

asm

Simple. Learn to use pwntools.

Looks like ptmalloc unlink. But site admin's solution is interestring.

FROM :blog.iret.xyz | Author:blog.iret.xyz

相关推荐: Unsafe file download

文件下载漏洞概述文件下载功能在很多web系统上都会出现,一般我们当点击下载链接,便会向后台发送一个下载请求,一般这个请求会包含一个需要下载的文件名称,后台在收到请求后 会开始执行下载代码,将该文件名对应的文件response给浏览器,从而完成下载。 如果后台在…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: